Objectives for managing cyber supply chain risk

Cyber-based products and services are acquired through supply chains that typically involve numerous suppliers of hardware, firmware and software components and services sourced globally. When acquisition objectives and their concomitant requirements are not rigorously defined and managed, the cyber-based products and services can pose operational risks to end user organizations and possibly to society if security, reliability and/or safety are compromised, especially in critical infrastructure sectors. However, there is some disagreement about the fundamental objectives of cyber supply chain risk management. Objectives such as trustworthiness, integrity, security and reliability are often noted as key, while safety and other objectives are often omitted. Divergent guidance further compounds the difficulties encountered by an acquiring organization in writing meaningful requirements or policies for managing supply chain risk - whether from products and services, or to the operation of the supply chain, or to sensitive supply chain information. This paper recommends a set of objectives for cyber supply chain risk management and examines the connotations of each objective with the intent to improve risk coverage. It then examines the tradeoffs among the various objectives that acquirers and suppliers make and the trust assumptions that can result in risk exposure. Awareness of the tradeoffs and the degree to which organizations value one objective over another helps clarify their risk tolerance or risk appetite and enables them to apply appropriate management controls.